AntoineDelrue
Explorer

Check Point RA VPN : force the use of a specific user certificate in Windows Store

Hi,

Recently, we enabled the user certificate authentication method, along with username & password. The user certificates are pushed by Active Directory via GPO, and come from the ADCS role within our network.

This is working fine, the username field is populated automatically in Check Point Endpoint Security, and it validates the user's certificate alright.

However, some of our users have several certificates in their user store. We need to find a way to force the VPN client to use a specific certificate, based on specific criteria (regex or otherwise).

I found no resource on how to control which certificate is being used by the client. It seems to pick it up automatically.

Does anybody have an idea how we can achieve our goal?

Thanks in advance.

Regards,

Antoine.

8 Replies
PhoneBoy
Admin

Are you doing a user certificate or a machine certificate?
I know in the case of a machine certificate, we automatically choose one, I believe based on latest expiration date.
In that case, there is no mechanism to choose a different certificate.

AntoineDelrue
Explorer

Hi,

Thanks for your comment. We are only using user certificates, not machine certs.

The certificates we want to choose come from internal ADCS CA.

Thanks in advance. 

AndreiR
Employee

Hi @AntoineDelrue ,

Assuming you use Check Point VPN client for Windows desktop.

At this moment the VPN client does not provide the capability to pre-define which certificate to use from the CAPI store. But in the next release, which is expected in October, we are introducing a new feature which exactly fits your needs. The administrator will be able to define criteria to filter the certificates which the client displays as available for user authentication. You will be able to specify, for example, a pattern of DN or Extended Key Usage or Certificate Template, and the client will display only those certificates which match your criteria.

Watch for updates of Endpoint Security Homepage:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Ob1lan
Collaborator

Hi @AndreiR ,

Thanks, I'll be looking forward to this new release! Once it's tested and confirmed it works as expected, I'll close this topic.

Regards,

Antoine

Ob1lan
Collaborator

Hi @AndreiR ,

Client E84.00 was released a couple of days ago. I checked, and couldn't find that option to define how the cert will be chosen anywhere.

In the release notes, the only new feature listed is support for a newer version of Windows 10.

Could you please tell me how I can define how the VPN client should select the user cert?

Thanks in advance.

Regards

Ob1lan
Collaborator

Hi @AndreiR ,

Any news regarding the option to force the client to select a certificate based on a given pattern? I can't find this option in R84.0.

Thanks in advance.

Regards,

Antoine

MattElkington
Contributor

Hi Andrei,

Did this update ever occur? Is there a solution for pre-selecting CAPI certs?

I have searched through the Endpoint Security Homepage for any mention of CAPI and there seems to be nothing new regarding it.

Thanks

Norbert_Bohusch
Advisor

If the certificate in CAPI has a DN which can be distinguished from the others, you can do the following by a script started through GPO or similar (here with a PowerShell example).

With this procedure it selects the string based on your pattern and connects. As the VPN client saves the last successfully used certificate for the next connect, afterwards you don't have to select it manually.

Here are the parts of the script:

1. Get the list of certificates available to the Check Point client and select the right certificate by pattern:

# Change into the Endpoint Connect folder so .\trac.exe resolves (the path needs quoting because of the spaces)
cd "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect"

# Keep only the line of "trac.exe list" output that matches your pattern (replace xyz with your own)
$myvar = .\trac.exe list | Select-String -Pattern "xyz"

2. Fetch the DN string from this output:

# Select-String returns a MatchInfo object; ToString() gives the matching line, Trim() drops surrounding whitespace
$dnstring = $myvar.ToString().Trim()

3. Connect to the site using the DN and disconnect afterwards:

# -s selects the site, -d passes the certificate DN the client should use
.\trac.exe connect -s "<sitename>" -d $dnstring

# Disconnect again; the client keeps the last successfully used certificate for the next connect
.\trac.exe disconnect

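The criteria AndreiR describes (DN pattern, Extended Key Usage, certificate template) can be applied today by selecting the certificate from the Windows user store yourself and then feeding its DN into the trac.exe procedure Norbert_Bohusch posted above. The PowerShell below is an added example written for this page, not code from the thread or from Check Point. It assumes the default Endpoint Connect install path, a site name "<sitename>", a subject pattern and ADCS template name ("VPN Users", "VPNUserAuth") that you replace with your own, and, as the script above does, that `trac.exe list` prints one line per certificate containing its subject DN; the `-s` and `-d` switches are taken from that post.

```powershell
# Added example (not from the thread or from Check Point): choose the VPN user
# certificate from the Windows user store by explicit criteria, then hand its DN
# to trac.exe the way the script above does. Assumed: the default Endpoint
# Connect install path, a site name "<sitename>", an ADCS template name and a
# subject pattern you replace with your own, and that "trac.exe list" prints one
# line per certificate containing its subject DN.
param(
    [string]$SiteName       = '<sitename>',
    [string]$SubjectPattern = '^CN=[^,]+, OU=VPN Users',   # regex on the subject DN (assumed OU)
    [string]$TemplateName   = 'VPNUserAuth',               # ADCS template name (assumed)
    [string]$TracPath       = 'C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\trac.exe',
    [switch]$DisconnectAfter                               # connect once so the client remembers the cert, then drop
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'                                  # EKU: Client Authentication
$TemplateOids  = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')    # template name (v1) / template information (v2+)

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }      # no EKU extension at all: do not treat as a client-auth cert
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}

function Get-CertificateTemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Format($false) decodes the extension into readable text that includes the template name
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -in $TemplateOids } | Select-Object -First 1
    if ($ext) { return $ext.Format($false) } else { return '' }
}

function Select-VpnUserCertificate {
    $now = Get-Date
    $candidates = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        (Test-ClientAuthEku -Cert $_) -and
        $_.Subject -match $SubjectPattern -and
        ((Get-CertificateTemplateText -Cert $_) -match [regex]::Escape($TemplateName))
    })
    if ($candidates.Count -eq 0) {
        throw "No certificate in Cert:\CurrentUser\My matches subject '$SubjectPattern' and template '$TemplateName'"
    }
    # Renewed certificates can coexist with the old one; take the one expiring last
    return $candidates | Sort-Object -Property NotAfter -Descending | Select-Object -First 1
}

function Connect-VpnWithCertificate {
    $cert = Select-VpnUserCertificate
    # Ask the client which certificates it sees and take the line for our certificate's CN,
    # so trac.exe receives exactly the DN string it printed (same idea as the script above)
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $line = & $TracPath list | Select-String -Pattern ([regex]::Escape($cn)) | Select-Object -First 1
    if (-not $line) { throw "trac.exe list did not show a certificate with CN '$cn' (thumbprint $($cert.Thumbprint))" }
    $dnstring = $line.ToString().Trim()

    & $TracPath connect -s $SiteName -d $dnstring
    if ($DisconnectAfter) { & $TracPath disconnect }
}

Connect-VpnWithCertificate
```

Save it as a .ps1 and run it from a GPO logon script with `-DisconnectAfter` to seed the client's saved choice, or without it as the user's normal connect command. The filter deliberately requires a private key, a validity window that includes now, the Client Authentication EKU and the template, so an expired predecessor, a machine-style or encryption-only certificate, or a certificate from a different template is never handed to the client. One caveat: if two matching certificates share the same CN (typically an old and a renewed copy), `trac.exe list` may print both and the CN match takes the first line, so tighten `$SubjectPattern` or the template name until exactly one store certificate qualifies.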